sVirt 0.10
----------
Note: this is experimental code for review purposes only.

Project page:
    http://www.selinuxproject.org/page/SVirt

Instructions for building and running (SELinux+Fedora)
------------------------------------------------------
1) Install an updated Fedora development system.
2) Ensure SELinux is enabled and in enforcing mode.
3) Configure a simple qemu/kvm VM with the standard Fedora tools (e.g.
virt-manager).
4) Install libselinux-devel
5) Add to ~/.bashrc:

    export AUTOBUILD_INSTALL_ROOT=$HOME/builder

6) Check out the libvirt repository from upstream, and build the RPMs,
installing development packages as necessary. Do this by running
"./autobuild" in the libvirt repo. Once configured this way, you can
manually run "make" and "make install" there as needed.
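7) With the locally built code installed in AUTOBUILD_INSTALL_ROOT, launch
libvirtd as root as follows (replace jmorris with your own username):

    #!/bin/sh
    # Start the locally built libvirtd from the autobuild install root.
    BASE=/home/jmorris/builder
    LIBVIRTD=$BASE/sbin/libvirtd
    # Remove any stale pid file left by a previous run.
    rm -fv "$BASE/var/run/libvirtd.pid"
    # Pass all script arguments through to libvirtd unchanged.
    "$LIBVIRTD" "$@"
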
8) You should see this libvirt instance running unconfined:

    # ps -Z `cat /home/jmorris/builder/var/run/libvirtd.pid`
    LABEL                                                    PID TTY  STAT TIME COMMAND
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  11747 pts/0 S+  0:00 /home/jmorris/builder/sbin/libvirtd

9) Commands such as "virsh dominfo" should indicate the label of the domain
if it is running. You'll need to ensure you're using the right virsh,
e.g.:

    # /home/jmorris/builder/bin/virsh -c \
        /qemu+unix:///system?socket=/home/jmorris/builder/var/run/libvirt/libvirt-sock \
        dominfo sys1

You may wish to disable the system libvirtd.
10) To run the VM with a different SELinux label, edit the domain's XML
configuration, with "virsh edit", and add the following:
system_u:system_r:virtd_t:s0targeted
before the closing tag.
11) If you run "virsh start", you'll probably get an AVC denial, as there is
no policy to allow the transition. You can generate this via "audit2why
-M", or compile and load the provided svirtdev.te file:

    $ make -f /usr/share/selinux/devel/Makefile svirtdev.pp
    $ sudo semodule -i svirtdev.pp

Now, when launching the domain, you should see the following AVC
grant message (with the provided policy):

    avc: granted { transition } for pid=11933 comm="libvirtd"
    path="/usr/bin/qemu-kvm" dev=dm-0 ino=14274514
    scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    tcontext=system_u:system_r:virtd_t:s0 tclass=process

This indicates that the domain was correctly launched with the desired
security label.

    # pstree -Z `cat /home/jmorris/builder/var/run/libvirtd.pid`
    libvirtd(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
      └─qemu-kvm(`system_u:system_r:virtd_t:s0')
          ├─{qemu-kvm}(`system_u:system_r:virtd_t:s0')
          └─{qemu-kvm}(`system_u:system_r:virtd_t:s0')
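
The check in step 11 can be scripted. The following is an added example, not
part of the sVirt code: it parses AVC records and reports whether libvirtd's
process transition into the expected label was last granted or denied. The
sample log and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the grant message from step 11 joined onto one line,
# preceded by a constructed denial (as seen before the policy is loaded).
SAMPLE_LOG = """\
avc: denied { transition } for pid=11901 comm="libvirtd" path="/usr/bin/qemu-kvm" dev=dm-0 ino=14274514 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0 tclass=process
avc: granted { transition } for pid=11933 comm="libvirtd" path="/usr/bin/qemu-kvm" dev=dm-0 ino=14274514 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0 tclass=process
"""

AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)')

def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain colons."""
    parts = (ctx.split(":", 3) + [""])[:4]
    return dict(zip(("user", "role", "type", "level"), parts))

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        rec[key] = value.strip('"')
    return rec

def transition_status(log, expected_label, comm="libvirtd"):
    """Latest 'granted'/'denied' for comm's transition into expected_label, else None."""
    want = parse_context(expected_label)
    status = None
    for line in log.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "process" or "transition" not in rec["perms"]:
            continue
        if rec.get("comm") != comm or "tcontext" not in rec:
            continue
        if parse_context(rec["tcontext"]) == want:
            status = rec["result"]  # later records override earlier ones
    return status

if __name__ == "__main__":
    print(transition_status(SAMPLE_LOG, "system_u:system_r:virtd_t:s0"))
```

A result of "denied" or None for the label set in step 10 means the policy
module from step 11 is not loaded or the domain started under another label.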
----